The present invention relates to methods and devices for packet tagging using IP (internet protocol) indexing via dynamic-length prefix code.
In recent years, security has become an increasing concern in information systems. This issue has become more significant with the advent of the Internet and the ubiquitous use of network environments (e.g. LAN and WAN). An important area of IT security is ensuring that only authorized and well-secured machines are allowed access into a local network. This area is known as Network Access Control or NAC.
In the prior art, U.S. patent application Ser. No. 12/056,462 by Motil et al. (hereinafter Motil '462) filed on 27 Mar. 2008, and assigned to the assignee of the present invention, discloses methods and devices for enforcing network access control utilizing secure packet tagging, and is incorporated by reference as if fully set forth herein.
A problem arises in current prior-art solutions when multiple identities “behind” the same IP address need to be distinguished by the Policy Enforcement Point (PEP, typically implemented on a security gateway). While packet tagging allows the PEP to validate the source of IP packets, it does not provide solutions to situations in which different users share the same IP address. These situations include:                (1) NAT (Network Address Translation) devices between the clients and the PEP; and        (2) multiple users sharing the same machine (e.g. normal multi-user operating systems, or terminal services).        
Since the amount of space (number of bits) that can be used for packet tagging is severely limited, there is a clear trade-off between the use of this space for distinguishing multiple entities, and for security (e.g. in the form of a cryptographic hash). Therefore, a dynamic solution, in which the number of entities is determined at run-time, can optimize such a trade-off by maximizing the number of bits used to provide security.
It would be desirable to have methods and devices for packet tagging using IP indexing via dynamic-length prefix code. Such methods and devices would, among other things, provide an ability to distinguish between different identities that share the same IP address in order to allow the PEP to give each one of the users his/her own network access.